.. title: Getting LetsEncrypt certs non-invasively using nginx and webroot
.. slug: getting-letsencrypt-certs-non-invasively-using-nginx-and-webroot
.. date: 2018-06-20 11:51:25 UTC+02:00
.. tags:
.. category:
.. link:
.. description:
.. type: text
I finally found a nice way to get LetsEncrypt certificates integrated with websites behind a reverse-proxy.
Problem: I don't want certbot messing with my server configs, and I don't want to shut down my main web server just so I can get a cert using ``--standalone``.
.. TEASER_END
The way Nginx interprets ``location`` and ``root`` directives makes it really easy to solve this problem. Put a location for ``.well-known`` into your server config for non-SSL HTTP (LetsEncrypt's HTTP-01 challenge is fetched over plain port 80, so this block must stay reachable without TLS)::

    server {
        server_name www.example.com;
        listen 80;

        # Everything else is sent to HTTPS.
        location / {
            rewrite ^(.*) https://$host$1;
        }

        # Longest prefix wins, so challenge requests land here instead of
        # being redirected; "root" appends the request URI, so a request for
        # /.well-known/acme-challenge/TOKEN is served from
        # /srv/www.example.com/.well-known/acme-challenge/TOKEN.
        location /.well-known/ {
            root /srv/www.example.com;
        }
    }

Now::

    mkdir /srv/www.example.com
    certbot certonly --webroot -w /srv/www.example.com -d www.example.com

Certbot will now place the challenge file somewhere under ``/srv/www.example.com/.well-known/yadda/IdontKnow``, nginx will serve it correctly, the challenge will succeed and everyone will live happily ever after. No configuration fiddlements, no shutting down your server, it just freaking works -- and you can totally do that on a reverse proxy without the actual app ever knowing about it.
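One thing worth doing before pointing certbot at a production host is to confirm that the ``location /.well-known/`` block really serves files from the webroot, because a mismatched ``root`` or a stray redirect is the usual reason the challenge fails. The script below is an added example and not part of the original post: it computes the path certbot's webroot plugin writes to, drops a throwaway token there, fetches it over plain HTTP with ``curl`` and compares the result. The webroot directory, hostname and the ``selftest-`` token naming are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that nginx serves the
# ACME HTTP-01 challenge directory from the webroot directory before running
# certbot. Assumes nginx is configured as in the post and that the webroot
# given here is the same directory passed to "certbot ... -w".

# Where certbot's webroot plugin puts a challenge token: <webroot>/.well-known/acme-challenge/<token>
challenge_path() {
    # $1 = webroot directory, $2 = token name
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# The URL the ACME server (and our self-test) will request for that token.
challenge_url() {
    # $1 = hostname, $2 = token name
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a throwaway token into the webroot, fetch it over plain HTTP and
# check that the body comes back unchanged. Returns 0 on success, 1 otherwise.
# -f makes curl fail on 4xx/5xx; we do NOT follow redirects, because a
# redirect to https:// here means the "location /" rewrite is catching the
# challenge and the config is wrong.
check_webroot() {
    webroot="$1"; host="$2"
    token="selftest-$(date +%s)-$$"          # constructed, unique-enough token name
    path=$(challenge_path "$webroot" "$token")
    mkdir -p "$(dirname "$path")"
    printf 'ok-%s' "$token" > "$path"
    got=$(curl -fsS --max-time 5 "$(challenge_url "$host" "$token")") || got=""
    rm -f "$path"
    [ "$got" = "ok-$token" ]
}

# Usage: ./check-webroot.sh /srv/www.example.com www.example.com
if [ "$#" -ge 2 ]; then
    if check_webroot "$1" "$2"; then
        echo "webroot OK: nginx serves $(challenge_url "$2" '<token>') from $1"
    else
        echo "webroot check FAILED for $2 (check the /.well-known/ location and root)" >&2
        exit 1
    fi
fi
```

Run it as the same user that will later run certbot so that file permissions are exercised too. Once it passes, ``certbot certonly --webroot ... --dry-run`` (and later ``certbot renew --dry-run``) talks to LetsEncrypt's staging environment and confirms the whole round trip without spending a rate-limited issuance.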